shipshapecode / ember-cli-release

Ember CLI addon for versioned release management
MIT License

Dependencies becoming woefully out-of-date #69

Closed jacobq closed 4 years ago

jacobq commented 6 years ago

ember-cli 2.x has been around for years and 3.0.0 is in beta right now, yet this project is still on 1.x. Several other dependencies (see list below) are multiple major versions behind the latest. This is particularly problematic for things like npm (see https://github.com/shipshapecode/ember-cli-release/issues/63). For this addon to continue to be useful / relevant I believe we really need to get it up to date. Is this project still maintained? Would you accept a PR updating dependencies provided that tests are still passing?

$ ncu
Using /..../ember-cli-release/package.json
[..................] \ :
 chalk                          ^1.0.0  →   ^2.3.0 
 git-tools                      ^0.1.4  →   ^0.3.0 
 make-array                     ^0.1.2  →   ^1.0.3 
 moment-timezone                ^0.3.0  →  ^0.5.14 
 nopt                           ^3.0.3  →   ^4.0.1 
 npm                            ~3.5.2  →   ~5.6.0 
 rsvp                          ^3.0.17  →   ^4.8.1 
 semver                         ^4.3.1  →   ^5.5.0 
 chai                           ^2.1.1  →   ^4.1.2 
 ember-cli                     1.13.13  →   2.18.1 
 ember-cli-dependency-checker    1.1.0  →    2.1.0 
 fs-extra                      ^0.18.0  →   ^5.0.0 
 glob                           ^5.0.1  →   ^7.1.2 
 mocha                          ^2.2.1  →   ^5.0.0 

The following dependencies are satisfied by their declared version range, but the installed versions are behind. You can install the latest versions without modifying your package file by using npm update. If you want to update the dependencies in your package file anyway, run ncu -a.

 require-dir   ^0.3.0  →  ^0.3.2 
 silent-error  ^1.0.0  →  ^1.1.0 
 rimraf        ^2.3.2  →  ^2.6.2 

krukid commented 6 years ago

There are several deprecation warnings in my app caused by this package due to dated npm@3.5.4 dependency:

npm WARN deprecated lodash.isarray@4.0.0: This package is deprecated. Use Array.isArray.
npm WARN deprecated minimatch@1.0.0: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated minimatch@2.0.10: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated tough-cookie@2.2.2: ReDoS vulnerability parsing Set-Cookie https://nodesecurity.io/advisories/130
npm WARN deprecated node-uuid@1.4.8: Use uuid module instead

Alonski commented 6 years ago

Also interested in knowing when this will be updated